| Search |
| Navigation |
|
|
| Syndicate |
|
| User login |
privacy
NCSL Supports The Identification Security Enhancement Act of 2007:
However, lacking the full policy and financial commitment of the federal government to ensure the success of the state-federal partnership needed to make REAL ID possible, NCSL now calls upon Congress to repeal REAL ID and reinstate the negotiated rule-making process. This approach will achieve our shared goals for security in a manner that respects states’ rights, privacy protections, and fiscal responsibility.
S.717, which I previously covered in its 2006 form, would bring back the negotiated rulemaking and return to the states the authority to preserve their own privacy regimes.
Keep your fingers crossed.
(Via Jim Harper.)
Jay Goldman has written an excellent description of Facebook Beacon.
The long-and-short of it?
- When you're done using Facebook, log out of Facebook. If you're not logged into Facebook, Facebook effectively rejects Beacon info. (Note that because you've probably got lingering Facebook cookies even after logging out, Facebook still knows who you are and where you're coming from. At this point, it appears that they terminate the rest of the Beacon setup.)
- If you are logged in to Facebook, don't ever go anywhere else unless you want Facebook to know about it and potentially publish it. Facebook knows about every transaction sent by a cooperating site, even if you've chosen not to publish it.
- Consider AdBlockPlus on Firefox; other suggestions for IE are in the post.
The Beacon functionality is really pretty elegant, but it's useful to note that "Beacon" is an excellent name. Like other web beacons or web bugs, it uses embedded JavaScript, effectively tracking your movements around the web in very much the same way that modern web tracking applications do so. In essence, Facebook is making itself a web analytics service for advertisers.
The irony here is that the information collected by Facebook is likely far more valuable than the publication of that information and whatever ad revenue they may get from it. However, to get advertisers to buy in, they needed the Beacon profile entries. But just imagine being able to track the flow of collaborative purchasing information. Imagine I buy a Diet Coke, and that gets published to my profile. Suddenly, members in one of my Facebook groups starts buying Diet Coke shortly after my purchase is published. Not only can Facebook tout its ability to spread the word about the Diet Coke thing, but it also can tell Coca Cola the characteristics (including n-orders of social graph characteristics) of those who buy Diet Coke.
Powerful stuff. Scary. But Powerful.
Definition Changing for People's Privacy:
Privacy no longer can mean anonymity, says Donald Kerr, the principal deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people's private communications and financial information.
How lovely for Kerr to think that way. You silly Americans; let me tell you what you can have. What should happen is that our intelligence and law enforcement agencies need to work within the confines of our Constitution and laws. If they can't work within those confines, they need to show why they can't, so we can consider going about the business of amending the Constitution.
One problem with the land grab like the one Kerr describes is that there's been no evidence presented that it's either necessary or useful. Instead, what evidence exists shows that it's a crutch, violating our traditional notions of privacy with little benefit.
The other -- huge! -- problem is that the government cannot be trusted to properly safeguard private communications and financial information. That has been made clear in recent years. Business is even worse, unless it's strategically competitive information, of course.
Perhaps the definition that needs to be changed defines suitable government employees. Rather than the Kerrs and Chertoffs, who feel it is their position to determine what we can demand, we need people who will recognize that a Constitution and body of privacy protection laws exists, and that their inability to do their jobs without dreaming up ways around those things suggests their incompetence, not a need for the American people to change how they live their lives.
Until yesterday, my paper on Fourth Amendment and statutory protections against interception of Internet communications had little directly related case law. Now I have the Ninth Circuit's decision in U.S. v. Forrester, in the matter of the second defendant, Alba. When I first read the headline, I was a bit concerned. After reading the rest of Prof. Solove's commentary, as well as the opinion itself, I am no longer.
That is to say, I am no longer concerned about the state of my paper. I am concerned about where the courts are going to take constitutional protections on the Internet. Many of my complaints continue to come down to many of the overly simplistic analyses of email transport on the Internet. Prof. Solove trumpets Prof. Kerr's work in the above post:
Orin Kerr has usefully analogized the distinction between the non-content / content information to that between an envelope and the contents of a letter. The envelope contains addressing information that is exposed to others; the contents of the letter are concealed. Envelope information falls outside Fourth Amendment protection, but content information is fully protected by the Fourth Amendment.
Kerr's work does often make this distinction, but it often does so with an apparent misunderstanding of how email transportation works. Judge Fisher, in the Forrester decision, follows a path of similar technical missteps.
First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users’ imputed knowledge that their calls are completed through telephone company switching equipment. 442 U.S. at 742. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties.
In fact, all telephone users rely on third-party equipment. However, there are decided differences between telephone numbers opening a circuit and the routers that route traffic to destination IP addresses. But the problem runs deeper, and this is a significant complaint of mine in the literature. This peering of email and Internet use, as if sending an email is somehow different, is what allows for this butchery. For instance, the next paragraph begins:
Second, e-mail to/from addresses and IP addresses constitute addressing information and reveal no more about the underlying contents of communication than do phone numbers.
An Internet email address without an IP network attached goes nowhere.
There is a useful (to me) diversion into an email/snail mail comparison:
The government’s surveillance of e-mail addresses also may be technologically sophisticated, but it is conceptually indistinguishable from government surveillance of physical mail. In a line of cases dating back to the nineteenth century, the Supreme Court has held that the government cannot engage in a warrantless search of the contents of sealed mail, but can observe whatever information people put on the outside of mail, because that information is voluntarily transmitted to third parties.
. . .
E-mail, like physical mail, has an outside address “visible” to the third-party carriers that transmit it to its intended location, and also a package of content that the sender presumes will be read only by the intended recipient. The privacy interests in these two forms of communication are identical. The contents may deserve Fourth Amendment protection, but the address and size of the package do not.
Oh, it does, indeed. Email has an outside address called an IP address. But beyond that, it has outside addresses called envelope addresses, as specified by the RFCs. These, the technical envelope specifications, are ignored in the literature, but they are key to using Prof. Kerr's envelope terminology. For something to be an envelope, it must surely have an impact on the delivery of a message. The RFC content of a message has no bearing on delivery, yet Prof. Kerr (and now the Ninth Circuit) appear to be perfectly willing to allow it to be intercepted.
And so, this is just another lousy decision, crafted not with an understanding of Internet communications, but with the more typical understanding, that seems to reflect the belief that a "send button" magically whisks an email message to some remote spot on the globe. In the case of the Ninth Circuit, that spot appears to be someplace that need not have even heard of IP addresses.
As I've previously written, what I consider a key flaw in current analysis of Fourth Amendment (and Electronic Communications Privacy Act) protections against interception of Internet communication is that it takes a narrow view of what constitutes communication on the Internet. The standard is "any information" that concerns the substance, meaning, or purport of a communication.
We should look to other forms of communication to arrive at a reasonable definition of Internet communication. I've suggested voice as the most pervasive. We don't permit the recording of waveforms of speech and only exclude transcripts. Without a warrant, the government may not record a telephone conversation.
When a person sends an email message, that form of communication is chosen, for whatever reason, over a telephone call. While the propagation of sound is required for meaningful oral communication by telephone, the propagation of properly formatted SMTP commands and RFC 822 message bodies are required for comprehension of the stream of bytes comprising an email message. Without that formatting, there is no substance, purport, or meaning of an email. In many cases, it won't be delivered at all.
The SMTP commands that transport a message across the Internet are, therefore, comparable to the use of voice to communicate across a telephone line. The courts and the Congress don't allow the recording of the electrical underpinnings that make up that voice communication. It makes little sense to allow recording of the commands and formatting that make up an email message.
If I can get to a point where I can substantively establish this, it becomes clear that what follows is protection of the application layer.
Did Real ID bring down immigration reform? That's probably not the right way to put it.
Are the forces of evil (Sensenbrenner, et al) so incredibly gung ho to track the details of every American who chooses to work that they'll scuttle immigration reform rather than see Real ID go down the tubes? The answer appears to be yes. However, the problem is deeper than immigration; it may extend to your ability to find work, change jobs, and in turn, move freely about the country.
Declan describes how attempted to kill Real ID in the current immigration reform efforts brought a halt to the process in his article, National ID plan may have killed immigration bill:
Privacy advocates were quick to claim that a vote against Real ID cards the previous evening doomed the bill.
Wednesday's vote showed that senators were willing to delete the portion of the labyrinthine immigration bill that would require employers to demand the Real ID cards from new hires. Because some of the bill's backers had insisted that the ID requirement remain in place--as a way to identify illegal immigrants--they were no longer as willing to support the overall bill.
Commentary in that article also comes from the Cato Institute's Jim Harper:
"The proponents of national ID in the Senate weren't getting what they wanted, so they backed away," said Jim Harper, a policy analyst at the free-market Cato Institute who opposes Real ID. "It was a landmine that blew up in their faces."
(By the way, if you're looking for an easy-to-read book with broad coverage of identity issues, I recommend Harper's Identity Crisis: How Identification is Overused and Misunderstood.)
However, it's important to note that another key facet of this immigration reform bill came in the form of pre-employment verification. A database of huge importance that would be run by, of all agencies, the Department of Homeland Security, employers would be forced to query the database preferably before, but certainly shortly after you went to work. In this Huffington Post entry, the ACLU's Caroline Fredrickson explains the system:
For instance, Title III of the bill expands the error-plagued Employment Eligibility Verification System (EEVS), creating a vast federal database to verify the eligibility to work of all job applicants in America -- including U.S. citizens. This expansive system would contain extraordinary amounts of personal information on everyone who seeks or holds a job, all of it keyed to a person's Social Security number. If the immigration bill passes as written, all Americans will need to have their eligibility to work approved by the Department of Homeland Security. Invariably, DHS will confuse the files of people with similar names or use outdated or erroneous information to deny people the right to work, creating a 'No Work List' similar to the government's 'No Fly List.' They have testified that they will need to "manually reverify" the work-eligibility of eight percent of all workers.
So, we can't get passports out to people to travel, but we'll certainly be able to manually verify 80% of the legally working population in no time. No doubt.
John Gilmore paints a much scarier picture of the growing "In DHS We Trust" phenomenon:
The attempt to force a process of "get federal permission to hire FIRST" on the country is eerily parallel to the DHS proposal to require airlines to "get federal permission to transport FIRST". Today, airlines can bring you to the US without permission, but they are liable for the cost of carrying you elsewhere if the US won't admit you. This naturally limits their willingness to bring random people -- but allows people to come and apply for asylum, for example. The Gestapo announced months ago that they plan to change this to require each passenger's info to be submitted long before the plane takes off, getting an affirmative "OK", or else the passenger would not be allowed on board at all. As with other federal watchlist checks, this would come with zero due process protection for the passenger, and zero accountability for the government. If they mysteriously keep saying "No", there's nothing that you as a citizen could do to get back into your own country. They wouldn't even have to jail or detain you, such that a lawyer could go to court with some urgency to spring you. No, YOU would have to sue THEM, and it would take years in the courts.
In our fervor to regulate and control immigration, we've got to be very wary of those in our legislature who would like to use this opportunity to regulate and control the rest of us. As Senators Max Baucus and Jon Tester said after the immigration bill was eventually put out of its misery:
"We scored a major victory today in our efforts to protect privacy and defeat a bad immigration bill at the same time," said Baucus, Montana’s senior U.S. Senator. "If Jon and I just brought down the entire bill, that’s good for Montana and the country."
...
"If by fighting to keep government out of people’s private lives, Max Baucus and I stopped the senate from passing this flawed immigration bill, then this was a real victory for Montana and the American people," Tester said.
Indeed.
Dialing, routing, addressing, and signaling. Pen registers and trap-and-trace devices are devices that may be used to collect the non-content portions of a communication. As I've previously written, contents refers to "any information concerning the substance, purport, or meaning" of a communication. Therefore, non-content dialing, routing, addressing, and signaling information is necessarily such information that does not concern any such information about a communication. Simple enough, right?
Well, it seemed simple enough to Congress. They proceeded with the intention to call an "email address" a communications "facility," moving it into the definitions of pen registers and trap-and-trace devices. This involves a convoluted notion that one communicates from email address to email address, much as one communicates from phone to phone. Obviously, this is nonsense, but that hasn't stopped law enforcement from seizing upon this expansion.
However, let's assume for a minute that an email address actually is a communications facility unto itself, and that when we communicate via email, the endpoints are actually email addresses. If we focus solely on the real-time interception of non-content information of an email communication, what is "dialing, routing, addressing, and signaling" information, and what is "any content concerning the substance, purport, or meaning" of that communication? Remember, this is still a message in transit across the Internet.
Here's what we know. Before the email message can be sent, there is already going to be a TCP connection established between the sending computer and the receiving computer. Only after the TCP connection is established may the actual communication take place. When that message gets to the remote computer, that remote computer is going to have to receive it, most likely via the SMTP. In this day and age of heavy spam and other deviousness online, it is very likely that the message is going to have to be formatted somewhat well in order to be delivered.
In order for a message to be properly formatted for receipt by the remote computer, the sending computer will send SMTP commands, continuing to send others, followed by the actual content of the message being sent, in response to replies from the remote computer. The sending computer will give, at a minimum, its name, the email address that is sending the message, the email address that is the destination of the message, and finally, the message. If these steps aren't followed, the message will not be delivered.
But there's more. Once a message is delivered, for a communication to be complete, the message must be read. There are many things that may be carried in a message to allow it to be understood. Obviously, the body of the message allows it to be understood. But we're concerned, also, with any information that concerns the substance, purport, or meaning of the message.
In a telephone call, a great deal of substance, purport, or meaning may be derived from the voice of the communicator. In email, there is no such voice. However, the sending address certainly gives a message voice. The personalizable "From:" header my also lend such a voice. Bayesian spam filters assign scores to a message based on tokens in the headers, and these can also lend a voice, as can such headers as message priorities and the "Received:" headers, which allow a message to be traced and in many mail programs, is used to sort messages by date (and not the "Date:" header.)
In short, the proper use of SMTP commands, the email addresses and addressing, as well as received headers and the nature of the contents of the headers all lend substance, purport, and meaning to a message. However, under the most common interpretations of the current laws, all of those pieces of content may be readily obtained by law enforcement agents under the Pen Register Act.
[The following was largely spawned by a Cyberspace Law class last night, and the repeated suggestions that we must authenticate users before we allow them to "use the Internet" so that we may track down evildoers.]
Are we really heading toward the end of a (relatively) anonymous Internet? I don't think so.
To properly answer this, it's important to consider how the Internet is constructed. Sure, you'll often read accounts of your data traveling across the Internet's "backbone." The problem is, there isn't a single backbone. The internetwork that is the Internet is comprised of numerous independent network backbones that interconnect. For any one node on any one of those backbones to identify with any certainty the sender of a packet would require a vast identity infrastructure that simply is nowhere near existence. However, it's possible that this extreme example of the impossibility of defeating anonymity is more than what some consider necessary. In fact, I know it is, based on class discussion.
Let's take another popular example that has been used: all users must authenticate their identities before they are allowed to "connect to the Internet." The obvious first question I have to ask is "To whom must they authenticate?" This is not an easy question to answer.
Is the answer the user's Internet Service Provider? If so, who's going to mandate that? If it's the ISP who mandates this, what other limitations of service will the ISP then have to place on the user to enforce this authentication? A user who wishes to remain anonymous will simply tunnel traffic through an anonymizing conduit, whether this is an application like TOR, or wilder approaches like tunneling one application layer protocol through another.
This raises another problem: who authenticates the conduit? Not all Internet "users" are discrete individuals. Many are servers providing services, remote access devices providing connectivity, or bots gathering and processing data. Who authenticates every process that connects to the Internet? Who do these processes authenticate to?
Finally, are users going to be expected to authenticate to every peer process? This suggests that every process and every user on the Internet will use a single authentication mechanism, or sufficient federation will have to exist for these authentications to take place. Who's going to write the software that allows the millions of autonomous servers, routers, switches, and other devices connected to the Internet to be able to carry out these authentications so that anonymous actors may eventually be identified?
My point is this: until everything authenticates, there is no forced, universal authentication to "connect" to the Internet. As long as unauthenticated systems exist, and as long as owners of some of those systems prize anonymity, a step as limited as forcing users to properly authenticate to an ISP before using the Internet (a concept that has still more questions) will not kill one's ability to act anonymously, nor will it lead to discoverable identification of anonymous sources.
All of these problems demonstrate that identification checks based on Real ID won’t be nearly as secure as we might hope. But the main problem with any strong identification system is that it requires the existence of a database. In this case, it would have to be 50 linked databases of private and sensitive information on every American -- one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.The security risks of this database are enormous. It would be a kludge of existing databases that are incompatible, full of erroneous data, and unreliable. Computer scientists don’t know how to keep a database of this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it.
And yet, there's a group that will carry on insisting that this is something we must have. We open ourselves up to theft of identity information on a grand scale, and for what? As Schneier continues:
Even worse, as soon as you divide people into two categories -- more trusted and less trusted people -- you create a third, and very dangerous, category: untrustworthy people whom we have no reason to mistrust. Oklahoma City bomber Timothy McVeigh; the Washington, DC, snipers; the London subway bombers; and many of the 9/11 terrorists had no previous links to terrorism. Evildoers can also steal the identity -- and profile -- of an honest person. Profiling can result in less security by giving certain people an easy way to skirt security.
So, we do all of this Real ID nonsense, and what do we get? Oh, right. Less security. Along with the false sense of security, we also receive diminished privacy, heightened risks to privacy, greater government aggregation of data that is is unlikely to be able to manage, and just generally a worse situation than we had before.
Update: See my follow-up, covering the actual text leading to these suggestions. It's not quite as bad as suggested. It still ain't great.
If the following is actually correct, the Department of Homeland Security is even more worthless than I could have imagined.
The Department of Homeland Security has finished their proposed regulations for implementing the Real ID Act and has sent them to the Office of Management and Budget for approval. The publication of DHS's REAL ID regulations will follow shortly. The compliance guidelines are almost one year overdue.According to a still-secret several hundred-page dossier sent last week by DHS to the Office of Management and Budget, DHS considered three ways to implement the REAL ID Act:
Plan A: Order the individual states to find a way of communicating data to one another. This idea was given short shrift by DHS, who dismissed it out of hand.
Plan B: Have DHS build a centralized database for the states to query before issuing REAL ID-compliant drivers licenses. This idea was also rejected.
Plan C: Have a private data aggregator act as the central database. This is the plan advocated by DHS. The plan calls for the outsourcing of all drivers license and ID card checks to a private corporation, who would then charge the states for each check performed. DHS head Michael Chertoff personally ordered this option to be chosen, according to a senior administration source.
One would hope that this would be the final nail in the Real ID coffin, and this would surely bring about swift introduction of the Akaka-Sununu Identification Security Enhancement Act of 2006.
Given the poor data protection histories of the commercial data aggregators, not to mention their incredibly poor histories of data matching, the very idea of them being called upon to manage aggregation of all of the drivers databases sounds more like a cruel joke. There may be more interesting issues.
To begin with, the Real ID Act doesn't call for a large database of driver's license data. In order to issue Real ID-compliant driver's licenses, states must:
(12) Provide electronic access to all other States to
information contained in the motor vehicle database of the
State.
(13) Maintain a State motor vehicle database that contains,
at a minimum--
(A) all data fields printed on drivers' licenses and
identification cards issued by the State; and
(B) motor vehicle drivers' histories, including
motor vehicle violations, suspensions, and points on
licenses.
Driver's license database information is commercial information owned by the states. This is clear from Reno v. Condon:
The motor vehicle information which the States have historically sold is used by insurers, manufacturers, direct marketers, and others engaged in interstate commerce to contact drivers with customized solicitations. The information is also used in the stream of interstate commerce by various public and private entities for matters related to interstate motoring. Because drivers’ information is, in this context, an article of commerce, its sale or release into the interstate stream of business is sufficient to support congressional regulation.
There were already some questions hanging around (most dismissed by commentators) about the Constitutionality of allowing the federal government to require states to grant other states access to their own commercial items without compensation in order to comply with the Real ID Act. Permitting commercial data aggregators to take possession or ownership of that state property without compensation is somewhat more egregious. As things now, those aggregators would be forced to purchase that information from the states; at least in that instance, the coffers of the states are gaining something to help cover the maintenance of that data. Under this plan, it would seem plausible (especially if the aggregators "accidentally" released the information into the public domain) that the states would simply be forced to give it away. This may raise greater Constitutional questions about those portions of the Real ID Act.
It makes the security aspect even worse.
It likely removes the (feckless) Privacy Act and the Computer Matching and Privacy Protection Act from the mix.
In short, I'm currently even a bit skeptical that even the inept Department of Homeland Security could proffer a suggestion as ludicrous as this one; I can't wait to see the actual proposed regulations to find out if it's true.
| Browse archives |
| IP/Tech Blawgs |
| Other Blawgs |
| Friends |
| USF Law Blawgs |